Past, Present and Future of Nuprl Vincent Rahli - - PowerPoint PPT Presentation

Past, Present and Future of Nuprl

Vincent Rahli http://www.nuprl.org http://www.cs.cornell.edu/~rahli/ May 30, 2017

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 1/72

My collaborators

PRL group Abhishek Anand Mark Bickford Robert L. Constable Richard Eaton Vincent Rahli ATC-NY David Guaspari Matt Stillerman System group Robbert van Renesse Nicolas Schiper Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 2/72

Nuprl Environment

Distributed Runs in the cloud Structure editor Tactic language: Classic ML Shared library

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 3/72

Nuprl Stack

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 4/72

Nuprl Types

Based on Martin-L¨

• f’s extensional type theory

Equality: a = b ∈ T Dependent product: a:A → B[a] Dependent sum: a:A × B[a] Universe: Ui

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 5/72

Nuprl Types

Less “conventional types” Partial: A Disjoint union: A+B Intersection: ∩a:A.B[a] Union: ∪a:A.B[a] Subset: {a : A | B[a]} Quotient: T//E Domain: Base Simulation: t1 t2 Bisimulation: t1 ∼ t2 Image: Img(A, f ) PER: per(R)

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 6/72

Nuprl Types

Image type (Nogin & Kopylov) Subset: {a : A | B[a]} Img(a:A × B[a], π1) Union: ∪a:A.B[a] Img(a:A × B[a], π2)

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 7/72

Nuprl Types

PER type (extensional) Void = per(λ , .1 0) Top = per(λ , .0 0)

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 8/72

Nuprl Types

PER type (extensional) Void = per(λ , .1 0) Top = per(λ , .0 0) halts(t) = Ax (let x := t in Ax) A ⊓ B = ∩x:Base. ∩ y:halts(x).isaxiom(x, A, B) T//E = per(λx, y.(x ∈ T) ⊓ (y ∈ T) ⊓ (E x y))

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 9/72

Nuprl Types

Squashing {Unit | T} Img(T, λ .Ax) per(λx.λy.Ax x ⊓ Ax y ⊓ T) T//True per(λx.λy.x ∈ T ⊓ y ∈ T) ∩x:¬T.Void per(λ .λ .T)

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 10/72

Nuprl Types

Recursive types

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 11/72

Nuprl Types Rich type language facilitates specification Makes type-checking harder

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 12/72

Refinements

Nuprl’s proof engine is called a refiner A generic goal directed reasoner:

Example of a rule H ⊢ a:A → B[a] ⌊ext λx.b⌋ BY [lambdaFormation] H, x : A ⊢ B[x] ⌊ext b⌋ H ⊢ A ∈ Ui ⌊ext Ax⌋

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 13/72

Recent projects What evidence do we have that (distributed) systems are correct? What evidence do we have that our proofs are correct?

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 14/72

Recent projects What evidence do we have that (distributed) systems are correct? Platform to develop and reason about distributed systems. What evidence do we have that our proofs are correct? Building and verifying Nuprl in Coq.

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 15/72

Distributed systems are ubiquitous

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 16/72

Distributed Systems What evidence do we have that these systems are correct?

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 17/72

Distributed Systems What evidence do we have that these systems are correct? Type checking Testing

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 18/72

Distributed Systems What evidence do we have that these systems are correct? Type checking Testing

Model checking

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 19/72

Distributed Systems What evidence do we have that these systems are correct? Type checking Testing

Model checking Theorem proving

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 20/72

Distributed Systems Distributed systems are hard to specify, implement and verify.

We need to tolerate failures. It is hard to test all possible scenarios. State space explosion using model checking. Model checking often done on abstractions of the code rather than on the code itself.

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 21/72

Distributed Systems We use Nuprl as a specification, programming and verification language.

Programming interface: a constructive specification language called EventML Verification methodology

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 22/72

Distributed Systems

A logic of events implemented in Nuprl. Specified, verified, and generated consensus protocols (e.g., Paxos) using EventML. Aneris: a total ordered broadcast service. ShadowDB: a replicated database with 2 parametrizable replication protocols (PBR & SMR) built on top of Aneris. Improved performance without introducing bugs. We get decent performance.

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 23/72

Distributed Systems — Big picture

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 24/72

Distributed Systems — Message sequence diagram

See: Paxos Made Moderately Complex

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 25/72

Distributed Systems — Combinators

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 26/72

Distributed Systems — Combinators

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 27/72

Distributed Systems — Combinators

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 28/72

Distributed Systems — Combinators

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 29/72

Distributed Systems — Combinators

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 30/72

Distributed Systems — Verification

We use causal induction + inductive logical forms (ILFs) + state machine invariants

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 31/72

Distributed Systems — Verification

We use causal induction + inductive logical forms (ILFs) + state machine invariants

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 32/72

Distributed Systems — EventML

EventML for Paxos Synod:

. . . agent Leader = SpawnFirstSc out | | (( LeaderPropose | | LeaderAdopted ) > >= Commander ) | | ( LeaderPreempted > >= Scout ) ; ; main Leader @ l d r s | | Acceptor @ ac c pts Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 33/72

Distributed Systems — Code generation Efficiency?

January 2012: 2 seconds per transaction Revamped the whole system. June 2012: 500 milliseconds per transaction Optimization/compilation to Lisp. End of 2012: 60 milliseconds per transaction (interpreted), 9 milliseconds per transaction (compiled)

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 34/72

Distributed Systems — What next?

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 35/72

Correctness What evidence do we have that these distributed systems are correct? What evidence do we have that our proofs are correct?

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 36/72

Correctness What evidence do we have that these distributed systems are correct? Platform to develop and reason about distributed systems. What evidence do we have that our proofs are correct? Building and verifying Nuprl in Coq.

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 37/72

Nuprl in Coq — Our initial motivation We build theorem provers to prove programs’ correctness

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 38/72

Nuprl in Coq — Our initial motivation We build theorem provers to prove programs’ correctness . . . but don’t use them to prove their own correctness

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 39/72

Nuprl in Coq — Our initial motivation

How do we know that our systems are sound? How do we safely extend them?

◮ Proofs mostly carried out on paper. ◮ Not carried out in full detail. ◮ Spread over several papers/PhD theses. ◮ Precise metatheory, precise account of Nuprl.

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 40/72

Nuprl in Coq — Our initial motivation

Agda & Coq

Nuprl

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 41/72

Nuprl in Coq — Our initial motivation

Agda & Coq

Nuprl

How can we be sure that these rules are valid? Nuprl’s PER semantics (where types are defined as partial equivalence relations on terms) in Coq and Agda.

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 42/72

Nuprl in Coq — Mechanization and Experimentation!

Mechanization

Experimentation

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 43/72

Nuprl in Coq — What do we cover?

Stuart Allen had his own meta-theory that was meant to be meaningful on its own and needs not be framed into type

• theory. We chose to use Coq and Agda.

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 44/72

Nuprl in Coq — What we’ve implemented in Coq

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 45/72

Nuprl in Coq — An untyped λ-calculus

Parameterized by a library of definitions Nominal features Lazy exceptions Provides a generic framework for defining and reasoning about programming languages using a “nominal” style

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 46/72

Nuprl in Coq — What we’ve implemented in Coq

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 47/72

Nuprl in Coq — Howe’s computational equality

is a simulation relation ∼ is a bisimulation relation (a ∼ b = a b ∧ b a)

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 48/72

Nuprl in Coq — Howe’s computational equality

is a simulation relation ∼ is a bisimulation relation (a ∼ b = a b ∧ b a) Purely by computation: map(f ,map(g,l)) ∼ map(f ◦ g,l) Used for program optimization

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 49/72

Nuprl in Coq — Howe’s computational equality

is a simulation relation ∼ is a bisimulation relation (a ∼ b = a b ∧ b a) Purely by computation: map(f ,map(g,l)) ∼ map(f ◦ g,l) Used for program optimization and ∼ are congruences Restricts the computation system

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 50/72

Nuprl in Coq — Constructive domain theory

Let ⊥ be fix(λx.x).

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 51/72

Nuprl in Coq — Constructive domain theory

Let ⊥ be fix(λx.x). Least element ∀t.⊥ t

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 52/72

Nuprl in Coq — Constructive domain theory

Let ⊥ be fix(λx.x). Least element ∀t.⊥ t Least upper bound principle G(fix(f )) is the lub of the chain G(f n(⊥)) for n ∈ N

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 53/72

Nuprl in Coq — Constructive domain theory

Let ⊥ be fix(λx.x). Least element ∀t.⊥ t Least upper bound principle G(fix(f )) is the lub of the chain G(f n(⊥)) for n ∈ N Compactness if G(fix(f )) converges, then there exists a natural number n such that G(f n(⊥)) converges

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 54/72

Nuprl in Coq — What we’ve implemented in Coq

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 55/72

Nuprl in Coq — Allen’s PER semantics

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 56/72

Allen’s PER semantics

f1≡f2∈x:A → B type((x:A → B)) ∧ ∀a1, a2. a1≡a2∈A ⇒ f1(a1)≡f2(a2)∈B[x\a1]

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 57/72

Allen’s PER semantics

f1≡f2∈x:A → B type((x:A → B)) ∧ ∀a1, a2. a1≡a2∈A ⇒ f1(a1)≡f2(a2)∈B[x\a1] t1≡t2∈Base t1 ∼ t2 Ax≡Ax∈(a = b ∈ A) type((a = b ∈ A)) ∧ a≡b∈A t1≡t2∈A type((A)) ∧ (t1 ⇓ ⇐ ⇒ t2 ⇓) ∧ (t1 ⇓ ⇒ t1≡t2∈A)

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 58/72

Allen’s PER semantics

x1:A1 → B1≡x2:A2 → B2 A1≡A2 ∧ ∀a1, a2. a1≡a2∈A1 ⇒ B1[x1\a1]≡B2[x2\a2]

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 59/72

Allen’s PER semantics

x1:A1 → B1≡x2:A2 → B2 A1≡A2 ∧ ∀a1, a2. a1≡a2∈A1 ⇒ B1[x1\a1]≡B2[x2\a2] Base≡Base (a1 = a2 ∈ A)≡(b1 = b2 ∈ B) A≡B ∧ (a1≡b1∈A ∨ a1 ∼ b1) ∧ (a2≡b2∈A ∨ a2 ∼ b2) A≡B A≡B ∧ (∀a. a∈A ⇒ a⇓)

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 60/72

Allen’s PER semantics

Ternary relations candidate type systems: cts = CTerm → CTerm → per → Univ where per = CTerm → CTerm → Univ

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 61/72

Allen’s PER semantics

Ternary relations candidate type systems: cts = CTerm → CTerm → per → Univ where per = CTerm → CTerm → Univ Type constructors Definition per function (ts : cts) : cts := . . .

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 62/72

Allen’s PER semantics

Ternary relations candidate type systems: cts = CTerm → CTerm → per → Univ where per = CTerm → CTerm → Univ Type constructors Definition per function (ts : cts) : cts := . . . Closure Inductive close (ts : cts) : cts := . . .

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 63/72

Allen’s PER semantics

Ternary relations candidate type systems: cts = CTerm → CTerm → per → Univ where per = CTerm → CTerm → Univ Type constructors Definition per function (ts : cts) : cts := . . . Closure Inductive close (ts : cts) : cts := . . . Universes Fixpoint univi (i : nat) : cts := . . .

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 64/72

Allen’s PER semantics

Fixpoint univi (i : nat) (T T’ : CTerm) (eq : per) : Prop := match i with | 0 ⇒ False | S n ⇒ . . . eq ⇐2⇒ (fun A A’ ⇒ {eqa : per, close (univi n) A A’ eqa}) . . . end.

Has to be in Prop, otherwise we can only define a finite number of universes

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 65/72

Allen’s PER semantics

Definition univ T T’ eq := {i : nat , univi i T T’ eq}. Definition nuprl := close univ.

t1≡t2∈T = {eq : per , nuprl T T eq × eq t1 t2} T ≡T ′ = {eq : per , nuprl T T ′ eq}

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 66/72

Nuprl in Coq — Allen’s PER semantics

Interesting fact: n:N → U(n) is a Nuprl type

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 67/72

Nuprl in Coq — Allen’s PER semantics

Interesting fact: n:N → U(n) is a Nuprl type . . . but it’s not in any universe

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 68/72

Nuprl in Coq — What we’ve implemented in Coq

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 69/72

Nuprl in Coq — Inference rules The more (verified) rules the better

Expose more of the metatheory Encode Mathematical knowledge

We have verified over 70 rules

Gives us the basis for a formally verified Nuprl

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 70/72

Nuprl in Coq — What now?

Support for a library of definitions Experimenting with new types (e.g., PER types) Mendler’s recursive types? Experimenting with new computations Nominal type theory Continuity Bar induction

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 71/72

Nuprl in Coq — What next?

Write a parser Build a verified refiner Type checker/type inferencer? Build a proof assistant

Vincent Rahli Past, Present and Future of Nuprl May 30, 2017 72/72